Security

Last Updated: June 14, 2024

Introduction

We at Kritik carry high standards for the security of user data to ensure that all customer data is kept secure and safe. We are committed to adhering to SaaS industry guidelines and practices for maintaining data and information integrity in alignment with standards and best practices.

Organizational Security

Personnel Security

Kritik's security practices apply to all employees, independent contractors and anyone with direct access to our internal system and unescorted access to the office space at Kritik. Every employee must agree to our terms of confidentiality before initial access to our internal systems. All-access shall be removed immediately upon termination of employment at Kritik.

Policies and Standards

As part of our Information Security Management System, Kritik maintains a set of 9 related policies and procedures that help ensure that our customers can rely on Kritik employees to behave ethically and to provide our services operate securely. Policy topics include but are not limited to:

Authorization/Authentication

Kritik abides by the least privilege principle; therefore, employees only have access to the data that they must handle to complete their current responsibilities in their role. When hiring an employee, Kritik grants access to a small number of internal systems; however, their direct manager or the system owner must approve any requests for additional access. For administrative access to systems containing any sensitive data, Kritik employs multi-factor authentication whenever it is possible.

Disaster Recovery and Business Continuity

Kritik has annual reviews and revisions of the business continuity and disaster recovery plans. Our production operations are distributed across multiple availability zones for resiliency and automatic recovery. In each availability zone our cloud provider has redundant power and connectivity to the internet. Kritik also stores backups from our primary operating environment in a separate region.

Third-Party Service Providers

For certain aspects of our operations, Kritik uses third party providers, including Amazon Web Services (AWS), Stripe, and Intercom. We take appropriate steps to ensure that the security stance of Kritik is maintained where those organizations can have an impact on the safety of our production environment or customer data. Kritik establishes agreements with all third-party providers that require them to honour our customers' confidentiality commitments.

Kritik is hosted on AWS and we make the most of their industry leading security compliance, standards and expertise. More details are explained below under Physical Security.

Kritik uses Intercom for our service support inquiries. Intercom complies with SOC2 (Type II) Trust Services Principles, GDPR, and the Cloud Security Alliance. As we do, they host their data and services on AWS. For more information, see their security page.

Security Incident Response

Kritik has documented procedures and policies for responding to security incidents and is reviewed and updated annually. Our production operations team manages all incidents, grading them according to their severity and determining the steps required to remediate.

Physical Security

Kritik hosts our infrastructure on AWS whose data centers are equipped with multiple physical barriers of access, including:

See this whitepaper for more information on AWS security processes. Kritik employees do not have physical access to any AWS data centers, servers, networking equipment, or storage. The Kritik offices are access controlled by electronic access cards.

Technical Security Measures

Data Encryption

Secure encryption is used for all Kritik data in transit over public networks, including all data transmitted between servers and Kritik clients. We use HTTP Strict Transport Security and redirect all unencrypted HTTP connections to secure HTTPS connections. All traffic uses modern cipher suites with Forward Secrecy.

Data at rest is encrypted using an industry standard AES-256 encryption algorithm; including but is not limited to databases, files, and backups.

Network Security

To ensure customer data is kept safe, multiple layers of security are employed to prevent accidental or malicious data access. The production environment is separated from test and development. Kritik limits administrative access to the production environment to support staff and to engineers with a specific business need.

Kritik severely restricts access to the production environment. Services are hosted in a private VPC not accessible to customers. Services are given private, non-routable IP addresses, and customers can only access them through a dedicated application load balancer on port 80 or 443.

Infrastructure

Customer data is hosted securely in a database and a cloud file store. The Kritik application is only permitted to access required data to ensure data privacy and to avoid cross-customer data access. All the data in our system is tagged by account, and each request to our system requires a context for the account.

Secure Development Lifecycle

Safety is a critical part of the lifecycle of Kritik's software development life cycle (SDLC), and our systems are designed to follow OWASP principles. All modifications to the infrastructure or production code of Kritik shall be subject to code review. Application deployment is done automatically using a specified code pipeline. A deploy takes a known-good container, adds and compiles the latest code and registers it as an immutable infrastructure container. This container is then provisioned by replacing the currently running instance. To check code changes before delivery, Kritik uses testing environments, automated testing, manual code reviews and automated static code analysis. We have a continuous deployment model, so our customers immediately benefit from improvements in bug fixes and upgrades. Also, our development process allows for the immediate prioritization of critical updates and remedies for vulnerability. To ensure that third-party code we rely on does not contain any known security vulnerabilities, Kritik also employs dependency vulnerability monitoring.

Logging and Monitoring

All-access to production systems is logged and monitored by the operations team at Kritik. To ensure that it meets a legitimate business need, we review and approve each request for elevated access in the production environment. Through our on-call rotation, Kritik's operations team provides 24/7 support, and we have alarms in place to ensure that all systems are operating as expected.

File and Database Backups

In addition to complete daily snapshots, our production databases are backed up to a separate AWS region. Access is only available on an as needs basis. All backups are encrypted and stored in a different geographical region with separate keys from the original production data. At least annually, Kritik performs backup restoration drills to verify the process and ensure we can recover quickly in the event of a disaster.

Conclusion

Kritik takes its user's data security seriously, and we are committed to ensuring that all customer data is kept confidential and secure.